This level of protection is likely to become the new norm in healthcare, said privacy and data security lawyer Kenneth Dort, who heads the technology workgroup in the Chicago office of Drinker Biddle & Reath. “This could be the first of a snowball rolling down hill,” he said.
The healthcare industry has been plagued with 1,265 major data breaches involving the exposure of nearly 135 million individuals' health records since the federal government began publicly posting breach reports in September 2009.
Meanwhile, improvements in monitoring technology and competition among service providers have crushed credit and fraud monitoring costs. Dort said a major credit reporting agency quoted him a bulk rate of 25 cents per person per year for monitoring the financial activities of individuals involved in larger breaches of 100,000 or more customers.
The Blues' pioneering offer comes in the wake of the largest healthcare data breach in U.S. history: the loss of some 80 million health plan records to a hacking incident reported in February by Indianapolis-based Anthem.
The effects of that breach spilled beyond Anthem's 14 Blues plans to other Blues-affiliated plans because of reciprocal payment relationships forged through the Blue Cross and Blue Shield Association's national Blue Card program.
In March, Premera Blue Cross, based in Mountlake Terrace, Wash., revealed that hackers had compromised its data systems and exposed 11 million members' records in several states in the Pacific Northwest.
Then in May, CareFirst Blue Cross, covering Maryland, the District of Columbia and Northern Virginia, announced it was the victim of a cyberattack affecting 1.1 million members.
“The point of this protection is to reduce and hopefully eliminate anything bad that is going to happen,” said privacy lawyer Kirk Nahra, a partner in the firm Wiley Rein in Washington. It could split the pool of affected potential plaintiffs and make it harder for their counsel to claim damages.
“If they offer it (credit protection) and you didn't take it, whose problem is that?” Nahra said.
Already, the Anthem breach has spawned hundreds of class-action lawsuits. Last month, many of the cases were transferred to and consolidated in the Northern District of California.
Lynn Toops, a lawyer with the Indianapolis firm of Cohen & Malad, which filed one of the Anthem suits, said credit monitoring has limited utility as a legal mitigation strategy. If identity thieves file a phony tax return with someone's information, she said, “credit card monitoring does nothing for that.”
But Lillian Ablon, a cybersecurity expert with the RAND Corp., said the new consumer protections are savvy marketing and a good legal strategy.